Hi Marcin, I would put an access-class on your vty lines to allow ssh only from trusted hosts. Either that or put an access-list on your outside interface. Oh, and look up the abuse contact for that domain and report them. It's probably someone trying a brute force on your ssh server. HTH Cheers, Neil On Thursday 01 February 2007 19:46, Marcin wrote: > Hi! > > im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M), > Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have > seen strange behavior: after few hours there was no responding from router, > no nat etc. After restart everything was ok for 10-12 hours. > > I have ONLY one user name to permit logon via ssh to router: marcin and > not dictionary password (14 symbols) > > I logon 2 hours ago and i use command "who". I was very surprised, because > i saw something in 1 minute 2 different usernames and NO USERNAME on vty > 194. > > i looks like that: > > router#who > Line User Host(s) Idle Location > vty 194 idle 00:00:01 nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > Interface User Mode Idle Peer Address > > router#who > Line User Host(s) Idle Location > vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > Interface User Mode Idle Peer Address > > router#who > Line User Host(s) Idle Location > vty 194 idle 00:00:01 nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > Interface User Mode Idle Peer Address > > router#who > Line User Host(s) Idle Location > vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > router#who > Line User Host(s) Idle Location > vty 194 idle 00:00:01 > nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > > router#sh users > Line User Host(s) Idle Location > vty 194 akrizan idle 00:00:40 nt.math.nknu.edu.tw > * vty 195 marcin idle 00:00:00 > 210-az4-2.acn.waw.pl > > What is going on? have you heard about similar incident? > > Best regards > > Marcin
Attachment:
pgppO74vHCH3u.pgp
Description: PGP signature